[krbdev.mit.edu #8296] Bug in src/plugins/preauth/pkinit/pkinit_crypto_openssl.c function load_cas_and_crls
Machin@krbdev.mit.edu
Fri Dec 4 08:45:27 EST 2015
DOE PIV certificates have 2 signing CAs that have the same subject name but different X509v3 Subject Key Identifiers.
Their CRL distribution links are:
http://sspweb.managed.entrust.com/CRLs/EMSSSPCA1.crl
http://sspweb.managed.entrust.com/CRLs/EMSSSPCA2.crl
Their corresponding CRLs have issuer names and Authority Key Identifiers of:
/C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
Hash file 99b3b749.r0
X509v3 Authority Key Identifier:
keyid:D3:CE:E7:5B:89:A7:CD:6C:91:C6:67:36:A9:58:72:09:EC:E2:39:F3
The newer badges have an issuing CA with the same name but a different X509v3 Authority Key Identifier:
/C=US/O=Entrust/OU=Certification Authorities/OU=Entrust Managed Services SSP CA
Hash file 99b3b749.r0
X509v3 Authority Key Identifier:
keyid:55:B4:6C:33:3F:E3:60:1A:A7:FF:C3:ED:B4:F7:E4:04:DA:29:D0:63
The code below will not allow both CRLs to be loaded because X509_CRL_cmp only compares issuer names and not both issuer name and Authority Key Identifier.
This causes pkinit certificate verification (X509_verify_cert) to fail with the code X509_V_ERR_UNABLE_TO_GET_CRL.
Eliminating the code and just calling "sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));" fixes the problem.
A better fix would be to compare the issuer name and Authority Key Identifier, but I could not find an OpenSSL call that did that.
In pkinit_crypto_openssl.c, function load_cas_and_crls():
    /* Look for a CRL already on the stack that X509_CRL_cmp considers equal.
     * X509_CRL_cmp only compares issuer names, so the second Entrust CRL
     * (same issuer name, different Authority Key Identifier) matches the
     * first one and is never pushed. */
    for (j = 0; j < size; j++) {
        X509_CRL *x = sk_X509_CRL_value(ca_crls, j);
        flag = X509_CRL_cmp(x, xi->crl);
        if (flag == 0)
            break;
    }
    if (flag != 0) {
        pkiDebug("%s: pushing xi->crl onto ca_crl\n", __FUNCTION__);
        sk_X509_CRL_push(ca_crls, X509_CRL_dup(xi->crl));
    }